OS/2 Help File | 1996-06-12 | 49KB | 1,416 lines
═══ 1. Cover ═══
THE SECURE WORKPLACE FOR OS/2
Version 4.01B
Copyright (c) Syntegration Inc. 1993, 1996.
All Rights Reserved.
3811 Schaefer Avenue, #J
Chino, California 91710
U.S.A.
Tel: 1-909-464-9450
Fax: 1-909-627-3541
E-Mail: 73707.3331@COMPUSERVE.COM
World Wide Web URL: http://www.primenet.com/~syntegrn
═══ 2. License Agreement and Limited Warranty ═══
This program, including its code and documentation, appearance, structure and
organization is a product of Syntegration and is protected by copyright and
other laws. Title to the program or any copy, modification or merged portion of
the program shall at all times remain with Syntegration.
LICENSE - The following restricted rights are granted:
You may:
1. Use the Program only on a single computer. The Program may be transferred
to and used on another computer as long as the program is de-installed from
the original computer, and under no circumstances be used on more than one
computer at a time.
2. If you purchased an Enterprise Edition license for this Program, you may
use the Program on as many computers as you have licensed.
3. Transfer the Program with this license to another person, but only if the
other person agrees to accept the terms and conditions of this agreement.
If you transfer the Program and License, you must at the same time either
transfer all copies of the program and its documentation to the same person
or destroy those not transferred. Any transfer terminates your license.
4. Include the program as part of a system that you resell. If you include the
program as part of another system you must include this license agreement,
acknowledge our copyright in your system documentation, and comply with the
transfer clause.
YOU MAY NOT:
1. TRANSFER OR RENT THE PROGRAM OR USE, COPY OR MODIFY THE PROGRAM EXCEPT AS
PERMITTED IN THIS AGREEMENT.
2. DECOMPILE, REVERSE ASSEMBLE OR OTHERWISE REVERSE ENGINEER THE PROGRAM.
3. REPRODUCE, DISTRIBUTE OR REVISE THE PROGRAM DOCUMENTATION.
LIMITED WARRANTY
EXCEPT AS SPECIFICALLY STATED IN THIS AGREEMENT, THE PROGRAM IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE.
Syntegration warrants that the disk on which the Program is furnished will be
free from defects in materials and workmanship under normal use for a period of
90 days from the date of delivery to you.
═══ 3. Administrator's Guide ═══
Welcome to The Secure Workplace for OS/2 Administrator's Guide.
You configure and administer the security and desktop management features
through the pages of the Security Administration notebook. If you purchased an
Enterprise license then remote and network administration is also available.
Follow the procedure below to set up your system:
1. Configure the security policy
2. Decide whether and how to use Dynamic Passwords
3. Configure Desktop Management
4. Configure User Sign-ON
5. Decide whether and how to Audit system operations
6. Define Users
7. Define User Groups.
8. Grant User Privileges.
9. Test your configuration.
10. Determine how you will administer the system.
11. Put the Secure Workstation into production.
═══ 3.1. Security Policy ═══
Use the Policy page to specify your System Security Policy. If you purchased an
Enterprise license then all items on this page can also be configured by
running the setup program with a response file.
The Policy items are as follows:
Grant public privileges by default
When you check this box the user will be granted full privileges to any
Workplace Object, File, or Directory that does not have an access control
definition. This has the effect of making items without privileges public.
When you leave this box unchecked, items without privileges will
automatically be protected.
Update User info from Network directory
When you check this box The Secure Workplace will update Users, Groups, and
Privileges from a data file in the network directory. This update occurs
just after a user signs on to the workstation. With this feature you do not
have to add users and privileges to each workstation manually. Just copy
the Security Profile (SECUREWP.INI) to the network directory. You can
configure this feature with any edition of the product, but it is only
implemented in the Enterprise Edition. If you want to use this feature then
purchase an Enterprise license.
Minimum Password Length
This spin button allows you to set the minimum password length allowed.
This policy is enforced when users attempt to change their password.
Existing passwords are not affected.
Invalid Sign-on attempts
This field sets the allowed number of invalid sign-on attempts. When the
specified number of invalid sign-on attempts is reached the system will
lock until an administrator signs on. You can disable this feature by
setting the value to zero.
Expire User Passwords
Check this box to force users to change their passwords after a specified
number of logins. The number of allowed sign-ons is specified in each
user's definition. See Page 1 of the User Tab. This feature is enforced
when you use local authentication.
Disable Keyboard reboot
Check this box to disable the use of the <CTRL+ALT+DEL> key combination.
Disable Archive Recovery
Check this box to prevent users from restoring desktops with <ALT+F1> at
system startup.
Activate screen saver after timeout
Check this box to activate the screen saver after the workstation has been
inactive for the specified number of minutes. The unlock password
automatically changes to the user's sign-on password. This unlock password
is encrypted and stored in dynamic memory (RAM). You can be assured that it
is safe from prying eyes. All other aspects of the screen saver are
configurable from the Lockup Tab in the Desktop settings notebook.
Administrators can always unlock the workstation with a dynamic password.
Screen Saver timeout
Sets the number of minutes of inactivity you want to allow before the
system locks the keyboard and mouse.
See Also:
1. Define Users
2. Define User Groups.
3. Define User Privileges.
═══ 3.2. Using Dynamic Passwords ═══
Dynamic Passwords are our software implementation of Smart Card Technology.
These passwords are based on the system time, system date, and a Seed
string that you specify. With this implementation you can define a dynamic
password that is unique to your organization, department, or network domain.
If you purchased an Enterprise license then all items on this page can also be
configured by running the setup program (SSETUP.EXE) with a response file.
Administrators can set this feature to obtain administrative privileges on a
workstation. Since the password is valid for a short period of time, it doesn't
matter if users look on when an Administrative password is being entered at the
sign-on window.
A companion password generator program (PASSWORD.EXE) runs on a separate
machine, perhaps at a help desk or in the administrator's office. You enter the
date, time, and period. The password generator gives you the dynamic password
for the date, time, and period you specified.
Each workstation can be configured to use a different Dynamic password seed. By
default, the initial seed value is "PASSWORD". The seed value can be set in the
security administration notebook or during setup when you use a response file.
You should make sure that the machine running the password generator program
has the same seed string as the machine whose password you wish to discover.
Administrators use Dynamic Passwords
Check this box to force administrators to use dynamic passwords for local
authentication.
Dynamic Passwords change
Select one of the buttons to configure the dynamic password period. Dynamic
passwords can be configured to change every minute, every hour, or every
day.
Change Dynamic Password Seed
Check this box to allow changes to the seed string.
To change the seed, open the Security Administration notebook and turn to page
2 of the Policy Tab. Type the current seed into the entry field, then type the
new seed twice into the respective new seed fields. Press the "Change"
pushbutton once the fields are filled in.
Special Note: In the Standard and Evaluation editions, Dynamic passwords are
based only on the system clock. Enter the password as YYYYMMDDHHmm where YYYY
is the year, MM is the month, DD is the day, HH is the hour, and mm is the
minute. These system clock values are displayed in the sign-on window for your
convenience.
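Added example (not Syntegration's code, and not the product's algorithm, which this guide does not describe): how a seed and a minute, hour or day period can give a password that the generator machine and the workstation derive independently, and why both must hold the same seed and agree on the clock. The HMAC-SHA256 construction, the 8-digit output and the seed and timestamp values are assumptions; only the YYYYMMDDHHmm clock-only format comes from the Special Note above.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Clock truncation for the three periods offered on the Policy page.
PERIOD_FORMATS = {"minute": "%Y%m%d%H%M", "hour": "%Y%m%d%H", "day": "%Y%m%d"}


def clock_only_password(now):
    """Standard/Evaluation edition format from the Special Note: YYYYMMDDHHmm.
    It has no secret input; the seed is what adds one in the seeded scheme."""
    return now.strftime("%Y%m%d%H%M")


def period_bucket(now, period):
    """Truncate the clock so every instant inside the same minute, hour or
    day maps to the same string."""
    return now.strftime(PERIOD_FORMATS[period])


def seeded_password(seed, now, period, digits=8):
    """Assumed derivation for illustration: HMAC-SHA256 keyed with the seed
    over the period bucket, reduced to a fixed number of decimal digits."""
    mac = hmac.new(seed.encode(), period_bucket(now, period).encode(),
                   hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


def verify(seed, entered, now, period):
    """Workstation side: recompute from the local seed and clock, then
    compare in constant time."""
    return hmac.compare_digest(seeded_password(seed, now, period), entered)


def demo():
    helpdesk_seed = "ACCOUNTING-7F"             # constructed seed
    issued = datetime(1996, 6, 12, 14, 5, 10)   # constructed timestamp
    pw_minute = seeded_password(helpdesk_seed, issued, "minute")
    pw_hour = seeded_password(helpdesk_seed, issued, "hour")
    return {
        "clock_only": clock_only_password(issued),
        # Entered 30 seconds later, still inside the same minute: accepted.
        "same_minute": verify(helpdesk_seed, pw_minute,
                              issued + timedelta(seconds=30), "minute"),
        # Entered after the minute rolled over: rejected.
        "next_minute": verify(helpdesk_seed, pw_minute,
                              issued + timedelta(seconds=60), "minute"),
        # An hourly period tolerates a 40-minute delay inside the same hour.
        "same_hour": verify(helpdesk_seed, pw_hour,
                            issued + timedelta(minutes=40), "hour"),
        # Workstation still holds the default seed "PASSWORD": rejected.
        "seed_mismatch": verify("PASSWORD", pw_minute, issued, "minute"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```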
═══ 3.3. Configuring Multiple Desktop Management ═══
Use the Desktops Page in the Security Administration notebook to configure your
system for multiple desktop management. If you purchased an Enterprise license
then all items on this page can also be configured by running the setup program
(SSETUP.EXE) with a response file.
The settings on this page allow such flexibility that we cannot possibly
enumerate all the options you might take. You should take note that the actual
movement of desktops is controlled by programs that run in the background. We
supply the Traveling Workplace to do this work. You can also use a third party
product or write your own program as long as it fits inside the scheme we have
provided.
Here are your options:
Manage multiple desktops
Check this box to activate multiple desktop management. When you check this
box the CONFIG.SYS file is updated. You must shut down and restart the
workstation for the changes to take effect. On the next and subsequent
system startups the SWMANAGE.EXE program runs before the Workplace Shell is
invoked. SWMANAGE.EXE allows the user to sign on, executes the desktop
management commands, and starts the Workplace Shell.
Save Desktop when User Signs off
Instructs The Secure Workplace to run the Save Desktop command just before
signing the user off. Check this box if you want to permit users to change
their desktops and to save these changes. If you decide to use the
Traveling Workplace switching strategy then this is not necessary. Be sure
to enter and test the save command.
Reset Desktop at Startup
Instructs The Secure Workplace to run the Reset Desktop command when the
system starts and before a user signs on. If you want to ensure that the
system starts with the same default desktop this is a good idea. The reset
command might wipe out any desktops left behind by the last user. The reset
command should rely on resources local to the workstation because it occurs
before user sign-on. You can use Traveling Workplace to back up a desktop
into an archive directory on a local hard drive, then enter a Reset command
to restore this local desktop. The restored desktop should be small enough
to be restored quickly. It might have enough resources to allow an
administrator to perform maintenance or it might have resources to allow a
user to work at the workstation when the network is down. You might also
want to consider this desktop for notebook computers that are
intermittently disconnected from your network.
Desktop Build Before WPS Command
Enter a command to be executed before the Workplace shell is started. If
you leave this field blank then the active desktop is used. Press the
defaults button to get the Traveling Workplace /RESTORE command. You can
also use the Traveling Workplace /SWITCH or /NEW strategy options here.
Desktop Build After WPS Command
Enter a command to be executed after the Workplace Shell is started. If you
leave this field blank then nothing happens. Press the defaults button to
get the default Object Editor command.
Desktop Save Command
Enter a command to be executed just before the user signs off. Press the
defaults button to get the default Traveling Workplace /BACKUP command.
This command will not be invoked unless you check the Save Desktop when
user sign-off option.
Desktop Reset Command
Enter a command to be executed when the system starts. Press the defaults
button to get the Traveling Workplace /RESTORE command. This command will
not be invoked unless you check the Reset Desktop at System Startup option.
See Specifying commands for more details.
Desktop Management Strategies
As we said before, your options are innumerable. The following is a list of
scenarios that employ tools we supply or support.
1. Users see different views of the same desktop
This is perhaps the simplest and fastest strategy because the desktop
remains the same. By assigning user privileges to desktop objects you can
let users see only the objects they have permission to use. See simple
instructions for granting user privileges for details. If you want to
update the desktop periodically or to protect against changes then:
a. Check Multiple Desktop Management.
b. Uncheck Reset Desktop at Startup.
c. Uncheck Save Desktop when user signs off.
d. Remove or blank the Desktop Build After WPS command.
e. Enter a Desktop Build Before WPS Command to restore the desktop from a
local or network archive. If you choose to restore from a network
archive then you can periodically update the desktop without going to
the workstation.
2. Switching between on-line Desktops
Use the Traveling Workplace switching strategy to switch between on-line
desktops that reside on the local workstation. This strategy is invoked by
the Traveling Workplace /SWITCH option. Switching is usually much
faster than restoring. However it will not allow a user to move from one
workstation to another and get the same desktop every time. We recommend
this option if you have a limited number of desktops, users do not move
between workstations, and speed is essential. You must setup pre-existing
desktops before invoking this strategy. See the Traveling Workplace
reference manual for details. Here are some basic instructions.
a. Refer to the Traveling Workplace Reference for details. Pay special
attention to the sections on multi-user setup.
b. Start The Traveling Workplace.
c. Select an Archive Directory.
d. Set Traveling Workplace preferences.
1. Disable the cleanup after Restore option (i.e. Create a new Desktop).
2. Disable the re-use default names option.
3. Disable the Update CONFIG.SYS Option.
4. Set the number of on-line workplaces to the number of desktops you
will support.
e. Backup the desktop into the archive directory.
f. Restore the Desktop from archive to build a new desktop (i.e. Desktop0).
g. Restore the Desktop from archive as many times as you want new
desktops.
h. Switch between desktops and remove or add icons to fit the user's needs.
i. Test the Traveling Workplace /SWITCH command from a command prompt to
develop a set of parameters to fit your needs.
j. Check the Manage Multiple Desktops option.
k. Uncheck the Save Desktop at user sign off option.
l. Uncheck the Reset Desktop at System Startup option.
m. Enter the Switch command you developed into the Build Before WPS
command field.
n. Define User class names to represent each desktop you will support.
User Class names are defined on Page 3 of the User Definition Tab. Use
Class names like "Desktop0", "Desktop1", "Desktop2", etc. These names
are the names available with the Traveling Workplace /DESKTOP
parameter.
o. Define User class names to represent each desktop you will support.
3. Restore Desktop from archive
Use the Traveling Workplace restore strategy to update the desktop for
each user or user group that signs-on to the workstation. This is your
most flexible strategy. It is designed to be used with the Traveling
Workplace /RESTORE option. You can restore a desktop from an archive
directory that resides on the local workstation or on a network file
server. With this option you can let a user move between workstations and
get the same desktop every time. If the archive directory is on a file
server then you can dynamically update the restored desktop without having
to take a trip to the workstation. You can allow a user to save changes by
adding a Save Icon to the restored desktop. This Save Icon could invoke
Traveling Workplace with the /BACKUP option. We recommend this strategy
when you have a large number of users, users share workstations, users
move between workstations, workstations are networked, you want maximum
assurance that desktops remain the same, or you want to dynamically update
the desktop. We believe the restore strategy will be faster than the build
strategy but slower than the switch strategy. See the Traveling Workplace
reference manual for further details. Here are some basic instructions.
a. Refer to the Traveling Workplace Reference for details. Pay special
attention to the sections on multi-user setup.
b. Start The Traveling Workplace.
c. Set Traveling Workplace preferences.
1. Disable the cleanup after Restore option (i.e. Create a new Desktop).
2. Disable the re-use default names option.
3. Disable the Update CONFIG.SYS Option.
4. Set the number of on-line workplaces to the number of desktops you
will support.
d. Select an Archive Directory for the user or user group.
e. Backup the desktop into the archive directory.
f. Restore the Desktop from archive to build a new desktop.
g. Configure the desktop for the user or group. You achieve this by adding
or removing icons to fit the user's needs.
h. Backup the new desktop into the archive directory.
i. Repeat these steps for each user or user group.
j. Test the Traveling Workplace /RESTORE command from a command prompt to
develop a set of parameters to fit your needs. You will want to use the
/NOUPDATE parameter to prevent the CONFIG.SYS from being changed.
k. Check the Manage Multiple Desktops option.
l. Uncheck the Save Desktop at user sign off option.
m. Uncheck the Reset Desktop at System Startup option.
n. Enter the Restore command you developed into the Build Before WPS
command field. Use the %ARCHIVE substitution keyword with the /loc
parameter (i.e. /loc=%ARCHIVE).
o. Define an archive directory for each user or user class. Archive
directories are defined on Page 3 of the User Definition Tab. The
user's archive directory is used when you specify %ARCHIVE on the build
command. The Traveling Workplace /LOC parameter is designed to accept
an archive directory.
Special Note: The Traveling Workplace cannot change the desktop
directory name with the /RESTORE option when it restores before the
Workplace Shell starts. Instead the product uses the same desktop
directory name that was assigned when the desktop was saved. This may
have the side effect of replacing an existing desktop including the
default or boot-up desktop. This effect is not necessarily a bad thing,
but you should be aware that it can happen. Suppose a user signs on and
his restore procedure fails because his archive directory was not
available or empty. If the last user replaced the default desktop then
the new user will get the last user's desktop. You can avoid this
effect by ensuring the archived desktops use a name other than the
default desktop name. Here is a procedure that will help you to avoid
this problem.
1. Start the Workplace Shell
2. Start the Traveling Workplace and switch to the default desktop.
(\DESKTOP)
3. Turn off the Traveling Workplace Clean up after preference.
4. Remove all other on-line desktops from your system.
5. Backup and restore this desktop to create a new desktop (\DESKTOP0).
6. Backup this desktop to the user archives.
7. Turn on Multiple desktop management and reboot your system to make it
active.
8. Now every time a user signs on and restores with the Build Before
WPS command the restore procedure replaces the \DESKTOP0 directory,
OS20.INI file, and the OS2SYS0.INI.
1. Use the workplace shell drive folder to change the default desktop
directory name to something like DEFDESK. Copy the user and system
profiles to unique names like DEF.INI and DEFSYS.INI. Update the
CONFIG.SYS to use these unique names.
2. Backup and restore the default or boot-up desktop to create a
desktop name like DESKTOPA. This desktop name should never clash
with a restored desktop name.
3. If you need help call technical support.
4. Build a new desktop
Use this strategy when you want to dynamically create objects on a blank
desktop. To do this you must specify a build before and a build after
command. The Build before command is executed before the workplace shell
starts and the build after executes after the workplace shell starts. Use
the build before command to create a blank desktop. Use the build after
command to create the objects in the desktop. The Traveling Workplace /NEW
parameter can create a blank desktop for you. The Object Editor can
populate this blank desktop with objects.
5. User sees only Network Applications
In this scenario you use IBM LANSERVER or IBM WARPSERVER and have already
assigned network applications. You decide to use the User Profile Manager
Domain for Single Signon. The user is not defined locally or you deny
access to the desktop. In this scenario all local desktop objects are
invisible. The Network applications folder and its contents are visible.
Here are some basic instructions.
a. Turn off multiple desktop management.
b. Configure single sign-on for User Profile Manager Domain.
c. Remove all user privileges or set them such that the default desktop
objects are invisible.
d. The Secure Workplace will leave The Network Applications folder and its
contents alone and let your network operating system manage them.
═══ 3.4. Configuring User Sign-ON ═══
Configure user Sign-ON operations in the Signon page of the Security
Administration notebook. If you purchased an Enterprise license then all items
on this page can also be configured by running the setup program (SSETUP.EXE)
with a response file.
At start-up The Secure Workplace for OS/2 displays a sign-on window that
prompts the user for an identification name and a password. The product also
provides Single Sign-On to any network operating system or remote host. With
this feature you can configure the system such that users need only identify
and authenticate once.
If you use Single Sign-ON and you have a network requester installed, then you
should consider updating the AUTOSTART parameter in your CONFIG.SYS File. The
AUTOSTART CONNECTIONS options will sometimes cause a network logon window to
appear at system startup. By removing the CONNECTIONS option you can prevent
this from occurring.
The Logon operation allows a user to enter a UserID and password. After these
authentication values are entered the logon procedure will be executed. If the
logon procedure completes with a return code of zero, then the build procedure
is executed. In this way you can configure a logon environment using existing
programs such as your network operating system's login program. To customize
the environment you can create your own scripts.
Auto Guest
When you choose this option the system will automatically authenticate the
Guest User and bypass the sign-on window. The Guest user is defined in the
CONFIG.SYS by assigning the GUESTNAME environment variable. The Guest User
has no privileges unless you assign them.
Local Authentication
When you choose this option the system allows users to decide whether to
signon to the local workstation. A corresponding local signon checkbox will
be available in the login window. You should allow local authentication if
you use the workstation in a stand-alone mode.
Single Sign-ON Options
Select one of the Single Sign-ON options described below. When you choose
an option other than none, the system allows the selected login procedure
to authenticate the user. The advantage of single signon in a network
environment is that you need only manage passwords in one place - on the
server.
None
The None option implies that the Security System will not execute any
external user authentication procedure. If this option is selected then
local authentication is performed unless AutoGuest is selected.
User Profile Manager Domain
The User Profile Manager (UPM) Domain option is appropriate when you have an
IBM LANServer or IBM WARPServer network. To use this option you must first
install the IBM Network Requester.
User Profile Manager Node
The User Profile Manager Domain option is appropriate when you have an IBM
DB2 Server on a network. To use this option you must first install the
necessary IBM products.
User Profile Manager Local
The User Profile Manager (UPM) Local option is appropriate when you have
IBM WARP CONNECT, DB2, LANSERVER, WARPSERVER, TCP/IP, COMMUNICATIONS
MANAGER/2, or any other IBM product that installs UPM on your local
workstation.
Network SignON Coordinator
Choose this option to sign-on using IBM Network SignON Coordinator (NSC).
NSC can be used for logins to Novell Netware, IBM LANServer, IBM WARP
Server, and APPC Host. You must first configure the NSC.INI file and test
it before committing to this option.
Custom Program
Choose this option to execute a background authentication program. You pass
the USERID and PASSWORD entered by the user to this authentication program.
The program should return an exit code of zero to signal that the user is
correctly authenticated. If you need to use third party authentication programs
or custom in-house programs for sign-on and authentication then this is
your option of choice. UPM and NSC can also be used here.
Custom Sign-ON command
This command is executed when you have selected the Custom Single Sign-On
option and after the user and password are entered. Successful completion
is indicated by a return code of zero. You should specify the %USER and
%PASSWORD keywords to pass the user name and password to the custom
program.
Custom Sign-OFF command
This command is executed to perform a user logoff. Enter your logoff
program in the field.
Change Password
This command is used to change user passwords when you choose a custom
program for Single Sign-on.
UPM Remote or domain name
Enter a field that specifies the UPM remote or Domain. This field is
required for UPM node logon and can be used during UPM Domain logon. The
user will also have an opportunity to change this value at sign-on time.
The Secure Workplace for OS/2 invokes User Profile Manager directly when you
choose one of the UPM options. To enable this feature you must first install
an IBM product that contains UPM. Make sure that the UPM32.DLL file is
available and in the LIBPATH.
The Secure Workplace for OS/2 invokes Network SignON Coordinator directly when
you choose the NSC option. To enable this feature you must first install and
configure NSC. Make sure that the NSCAPI.DLL file is available and in the
LIBPATH.
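Added example (not part of the product): a custom authentication program that follows the contract given above for the Custom Program option and the Custom Sign-ON command, taking the user name and password and returning exit code zero only when the user is authenticated. The program name AUTHCHK.EXE, the PBKDF2 credential store and the argument-list expansion of %USER and %PASSWORD are assumptions; the guide does not say how the product performs the substitution.

```python
import hashlib
import hmac
import re
import shlex
import sys

ITERATIONS = 100_000  # PBKDF2 work factor picked for this example


def expand_command(template, user, password):
    """Expand the %USER and %PASSWORD keywords into an argument list.

    The template is split into arguments first and each keyword is replaced
    in a single pass, so a password containing spaces, quotes or a literal
    "%USER" stays one argument and is never expanded a second time.
    """
    values = {"USER": user, "PASSWORD": password}
    return [
        re.sub(r"%(USER|PASSWORD)", lambda m: values[m.group(1)], token)
        for token in shlex.split(template)
    ]


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample credential store: user name -> (salt, derived key).
SAMPLE_STORE = {
    "alice": (b"constructed-salt", hash_password("correct horse", b"constructed-salt")),
}
# Record used for unknown users so they cost the same work as known ones.
DUMMY_RECORD = (b"dummy-salt-value", hash_password("dummy", b"dummy-salt-value"))


def authenticate(user, password, store=SAMPLE_STORE):
    """Return the process exit code: 0 when authenticated, 1 otherwise."""
    salt, expected = store.get(user, DUMMY_RECORD)
    matches = hmac.compare_digest(hash_password(password, salt), expected)
    return 0 if (matches and user in store) else 1


def main(argv):
    # Expected invocation: AUTHCHK.EXE <user> <password>
    if len(argv) != 3:
        return 2  # usage error; any non-zero code means "not authenticated"
    return authenticate(argv[1], argv[2])


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```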
See Also:
Specifying commands
═══ 3.5. Auditing your system ═══
The Audit page in the Security Administration notebook allows you to configure
your secure workplace for audit operations. The audit information records the
operations that take place on your computer. The Audit or log file can be located
on a workstation or on a network file server. The following parameters allow
you to configure your workstation for auditing.
If you purchased an Enterprise license then all items on this page can also be
configured by running the setup program with a response file.
Enable Auditing
Specifies whether the workstation will audit events to the log file.
Log to local file
Tells the system to write all events to the local log file. This option is
ignored if auditing is disabled.
Log to remote file
Tells the system to write all events to the remote log file. This option is
ignored unless auditing is enabled, User logon is enabled, and user logon
is verified.
Switch to remote on logon
Tells the system to write events to the remote log file when a user logon
is verified.
Local Log File
Specifies the path and filename of the log file on the workstation.
Remote Log File
Specifies the path and filename of the file server log file.
Station Name
Specifies a unique name for your workstation. This name will be used by the
audit facility to identify your workstation in the log file. You should
configure the station name in a network environment with more than one
workstation.
The log file can be viewed with any text editor or browser. You are
responsible for managing the log file. We intend to supply a log file viewer
in a future version.
Audit operations occur in the background. You will not be alerted if the log
file names you specify are incorrect. Check the filename carefully, then
verify that the audit information is being written.
The Audit system is fault tolerant. If the audit files are invalid the system
will bypass the audit step without a perceptible delay. The audit facility will
detect errors like:
o File not found
o Path not found
o Invalid File name
o Disk full
o File Write protected
In a network environment where the remote log file is shared between multiple
workstations the audit facility waits for write access. The audit system will
wait 5 seconds and retry the write operation at 64 millisecond intervals.
After 5 seconds the system will abandon the write operation.
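Added example (not the product's code): an audit writer with the behaviour described above, retrying for write access every 64 milliseconds, abandoning after 5 seconds and bypassing silently on file errors, together with the check the guide asks for, confirming that records really reach the log. The lock-file mechanism, the record layout and the station name WS01 are assumptions; the guide does not document the log format or how write access is arbitrated.

```python
import os
import tempfile
import time
from datetime import datetime

RETRY_INTERVAL = 0.064  # seconds between attempts, as stated in the guide
RETRY_WINDOW = 5.0      # seconds before the write is abandoned, as stated


def append_audit(path, station, event, window=RETRY_WINDOW, interval=RETRY_INTERVAL):
    """Append one record to a shared log. Returns True when written and
    False when the write was abandoned or bypassed. Never raises, so a bad
    log path cannot stall the caller."""
    lock = path + ".lck"  # assumed stand-in for exclusive write access
    stamp = datetime.now().isoformat(timespec="seconds")
    record = f"{stamp} {station} {event}\n"  # constructed record layout
    deadline = time.monotonic() + window
    while True:
        try:
            fd = os.open(lock, os.O_CREAT | os.O_EXCL | os.O_WRONLY)
        except FileExistsError:
            # Another workstation holds the log: retry until the window ends.
            if time.monotonic() >= deadline:
                return False
            time.sleep(interval)
            continue
        except OSError:
            return False  # path not found, invalid name, write protected ...
        try:
            with open(path, "a", encoding="ascii") as log:
                log.write(record)
            return True
        except OSError:
            return False  # disk full, write protected ...
        finally:
            os.close(fd)
            os.remove(lock)


def audit_is_being_written(path, station):
    """Write a uniquely marked probe record and confirm it can be read back,
    because a misconfigured log name produces no alert."""
    marker = f"AUDIT-PROBE-{os.getpid()}-{time.monotonic_ns()}"
    if not append_audit(path, station, marker, window=0.5):
        return False
    try:
        with open(path, encoding="ascii") as log:
            return any(marker in line for line in log)
    except OSError:
        return False


if __name__ == "__main__":
    log_path = os.path.join(tempfile.mkdtemp(), "audit.log")
    print("written:", append_audit(log_path, "WS01", "SIGNON alice"))
    print("verified:", audit_is_being_written(log_path, "WS01"))
    print("bad path:", audit_is_being_written("/no/such/dir/audit.log", "WS01"))
```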
═══ 3.6. Defining Users ═══
Users are defined in the Security Administration notebook. Three pages are
available in the User Tab. If you purchased an Enterprise license then the user
definitions can be automatically updated from the SECUREWP.INI file residing in
the Network directory.
The User definition items are as follows.
User
Type a unique user name in this field. If you intend to use Single Sign-ON
then the user name should correspond to a pre-existing name that you have
defined elsewhere. You can also select users that have already been
defined by pressing the drop down list button to the right of the entry
field.
Description
Enter the user's full name or some other description here. You can use up to
40 characters for this purpose.
User Type
Select Normal or Administrator. Normal users have their privileges set by
administrators. Administrators have full privileges.
User Active
Allows you to temporarily deactivate the user without removing the
definition.
Use Dynamic Password
Forces a user to enter a dynamic password. This feature applies to local
administrators only.
Sign-ons before password expires
Select the number of times a user can sign-on before a password change is
required. This value is enforced when local authentication is used.
Sign-ons since password changed
This report item keeps a count of the number of times a user has signed on
since the last password change. You can reset this value to invalidate a
password. Changing the password resets this value.
User Class Name
Class names are defined on page three of the user tab. Enter a class name
for the user. This string is used as the %CLASS substitution parameter for
multiple desktop management. A class name is intended as an alternate
method for grouping users. Example class names are STUDENT, INSTRUCT,
MANAGER, TELLER, SALES, CLERK, or ACCOUNTS. Class names are managed
separately from User Groups, but there is nothing to prevent you from
creating user groups that exactly match the class names you define. Class
names can be used to represent filenames, subdirectories, a filename
prefix, a filename suffix, or any other purpose.
Archive Directory
The user's archive directory is defined on page three of the User tab.
Enter an archive directory for the user. This string is used as the
%ARCHIVE substitution parameter for multiple desktop management. You can
assign the same directory to more than one user.
Adding a User
1. Type a user name in the user field.
2. Type a user description in the description field.
3. Select a user type.
4. Make any other selections on page one.
5. Press the Add button.
Changing a user definition
1. Turn to the page containing the information you want to change.
2. Select a user from the drop down list.
3. Make the changes you require.
4. Press the Save button.
Deleting a user
1. Turn to page 1 of the User tab.
2. Select a user from the drop down list.
3. Press the Delete button.
Changing a user password
1. Turn to page 2 in the User tab.
2. Select a user from the drop down list.
3. Enter the current password.
4. Enter the new password twice.
5. Press the Change button.
User password changes can also be performed at the sign-on window.
Press the Clear button to cancel any operation you started.
See Also:
o User Groups.
o User Privileges.
═══ 3.7. Defining Groups ═══
User Groups are defined on the Group page in the Security Administration
notebook. If you purchased an Enterprise license, the Group definitions can
be automatically updated from the SECUREWP.INI file residing in the Network
directory.
User Groups are used to reduce the labor of assigning User privileges. The
Items are described in the following paragraphs.
Groups
You can enter a new group name in the entry field or select from any of the
existing groups in the drop down list.
Group Description
Enter any description you desire. The description can be up to 40
characters in length.
Include Everyone
Check this box to automatically include every defined user in the group.
New users will automatically be included as well. Use this option to
create EVERYONE groups.
Users in Group
The list of users currently in the group. This list is ignored when the
Include Everyone box is checked.
Adding a Group
1. Type a Group name in the Group field.
2. Enter a description in the description field.
3. Check or uncheck the Include Everyone box.
4. Select from the Users list then press the Include button.
5. Select from the Users In Group List then press the Remove Button.
6. Press the Add button.
Changing a Group
1. Select a Group from the list.
2. Check or uncheck the Include Everyone box.
3. Select from the Users List then press the Include Button.
4. Select from the Users In Group List then press the Remove Button.
5. Press the Save button.
Deleting a Group
1. Turn to the Group tab.
2. Select a Group from the drop down list.
3. Press the Delete button.
Press the Clear button to cancel any operation.
See Also:
o Defining Users.
o Assigning User Privileges.
═══ 3.8. Specifying Commands ═══
The Desktop Management and User Signon configuration ask you to enter commands
that will be executed at appropriate times. The commands specify programs and
program parameters that execute in the background without user interaction. For
instance, Syntegration Inc. supplies programs such as Traveling Workplace
(TWKPLACE.EXE), Object Editor (OBJEDIT.EXE) and System Setup (SSETUP.EXE) that
can operate in a non-interactive mode. You can also write your own REXX program
or batch file to perform the required tasks.
Commands consist of a program file name followed by program parameters. The
program file name consists of the filename and extension. Examples of valid
program file names are CMD.EXE, TWKPLACE.EXE, OBJEDIT.EXE, and SSETUP.EXE. File
names without extensions are invalid. Examples of invalid program file names
are CMD, TWKPLACE, OBJEDIT, and SSETUP. If the program file does not reside in a
directory in the PATH, the program name should be fully qualified. An example
of a fully qualified program file is C:\SWP\BIN\TWKPLACE.EXE.
Program parameters are used by the program to tell it what to do. Parameters
are separated from the program file name by a space. You should also separate
multiple parameters by spaces to ensure that the program recognizes them
correctly. You can specify substitution keywords in commands. These keywords
will be translated by The Secure Workplace before executing the command. For
example, %USER will be translated to the UserID entered when a user signs on.
The substitution keywords are:
Keyword      Description
%USER        The user ID as entered at login.
%PASSWORD    The password as entered at login.
%LOGFILE     The current log file name.
%STATION     The station name assigned to the computer.
%ARCHIVE     The User's Archive directory.
%CLASS       The User's Class name.
%NEWPWD      The User's new password.
%REMOTE      The UPM remote or domain name.
You should note that user specific keywords are not available before a user
signs on.
If you use a REXX command or batch file to perform a procedure it must be
invoked by the CMD.EXE program with the /C parameter. An example REXX command
follows.
CMD.EXE /C RESTORE.CMD %ARCHIVE
In this example, the RESTORE.CMD file is executed with the user's archive
directory as its sole parameter.
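The rules in this section can be checked before a command is entered in the notebook. The Python code below is an added example, not part of The Secure Workplace: it checks a command against the file-name and CMD.EXE /C rules, lists the password keywords a command would receive, and models the keyword translation. Which keywords count as user specific, the whole-word matching, and the sample values are assumptions.

```python
import re

# Substitution keywords from the table above.
KEYWORDS = ("USER", "PASSWORD", "LOGFILE", "STATION",
            "ARCHIVE", "CLASS", "NEWPWD", "REMOTE")
# Assumption: the help text says user specific keywords are unavailable
# before sign-on but does not list them; this set is a guess.
USER_SPECIFIC = {"USER", "PASSWORD", "ARCHIVE", "CLASS", "NEWPWD"}
CREDENTIALS = {"PASSWORD", "NEWPWD"}
# Assumption: a keyword is matched as a whole word (%USER, not %USERS).
TOKEN = re.compile(r"%(" + "|".join(KEYWORDS) + r")(?![A-Za-z0-9])")


def keywords_in(cmd):
    """Substitution keywords used in cmd, in order of first appearance."""
    seen = []
    for key in TOKEN.findall(cmd):
        if key not in seen:
            seen.append(key)
    return seen


def check(cmd, before_signon=False):
    """Return a list of problems with a command string (empty if none)."""
    problems = []
    parts = cmd.split()
    prog = parts[0] if parts else ""
    base = prog.rsplit("\\", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if not (stem and dot and ext):
        problems.append(f"program file name {prog!r} has no extension")
    elif ext.upper() in ("CMD", "BAT"):
        problems.append(f"{base} must be run as CMD.EXE /C {base}")
    if before_signon:
        for key in keywords_in(cmd):
            if key in USER_SPECIFIC:
                problems.append(f"%{key} is not available before sign-on")
    return problems


def credential_keywords(cmd):
    """Keywords in cmd that hand a password to the program as an argument."""
    return [k for k in keywords_in(cmd) if k in CREDENTIALS]


def expand(cmd, values, before_signon=False):
    """Model of the translation step: replace each keyword with its value."""
    def repl(match):
        key = match.group(1)
        if before_signon and key in USER_SPECIFIC:
            raise ValueError(f"%{key} is not available before sign-on")
        return values[key]
    return TOKEN.sub(repl, cmd)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real installation.
    values = {"USER": "PAT", "ARCHIVE": "D:\\ARCHIVE\\PAT", "STATION": "WS01"}
    for cmd in ("CMD.EXE /C RESTORE.CMD %ARCHIVE", "RESTORE.CMD %ARCHIVE",
                "TWKPLACE %USER"):
        print(cmd, "->", check(cmd) or expand(cmd, values))
```

Running `credential_keywords` over every configured command shows which programs are handed %PASSWORD or %NEWPWD as an argument.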
═══ 3.9. Remote and network administration ═══
If you purchased an Enterprise license, The Secure Workplace for OS/2 will
contain additional features that you can use for network and remote
administration. These are response file management and Network updates.
Response file management
In the Enterprise edition, the System Setup (SSETUP.EXE) program can accept a
response file parameter on the command line that you can use to completely
change the administrative settings. You can use the program for unattended
software distribution and administration. The product includes an example
response file (SSETUP.RSP) that you can modify to fit your needs. The System
Setup Program requires the Presentation Manager. You must install OS/2 before
using it. Here are a few of the ways you can use these features:
1. With IBM NetView Distribution Manager/2.
2. With the Redirected Installation and Configuration (CID) component of IBM
LANServer or IBM WARPServer.
3. With other Network Management or Software Distribution products.
4. As part of network logon script you develop to update the security
settings.
5. As part of a custom REXX program you develop to administer disconnected
workstations or notebooks at remote locations.
Network Updates
In the Enterprise edition you can implement automatic updates from the network
directory specified during installation or setup. The network directory is
specified in the SWPNETPATH environment variable. The product updates User
definitions, User Group definitions, and User Privilege assignments from the
SECUREWP.INI file whenever a user signs on. This capability minimizes
administrative labor by assigning a central location for distributing new user
privileges. Here are some basic instructions:
1. Create a network directory and alias that will be visible to all users.
Let's say that you assigned drive S: and directory S:\SWPADMIN.
2. Grant read only access to the users.
3. When you install The Secure Workplace for OS/2 at the workstation, specify
S:\SWPADMIN as the network directory.
4. However you administer the workstation, set the Security policy to Update
User Information from Network directory.
5. Define users and privileges on your test or Administrative Workstation.
6. Copy the Security Profile SECUREWP.INI to the network directory.
Your local SECUREWP.INI file is hidden, read-only, and the contents are
encrypted. This file is usually located in the install directory. The
XCOPY command with the /H parameter can handle the movement of this file
to the network directory. Once it's in the network directory, you can remove
the hidden attribute with the ATTRIB command.
7. Whenever you add a new user, update the network directory.
8. In a future version we promise to simplify this process by adding import,
export, and response file capabilities to the Security Administration
program.
═══ 4. Assigning User and Group Privileges ═══
After you have installed The Secure Workplace and rebooted your computer,
Privilege pages are added to every Workplace Object's settings notebook. These
pages are grouped under a Privileges tab. You can use this interface to assign
user or group privileges for Files, Directories, and Workplace Shell objects.
For the purpose of this discussion and your own general understanding we will
refer to Files, Subdirectories, and Workplace Shell objects with the term
object.
Administrators grant users or groups privileges to objects. A user or group can
be granted the privilege to see, open, execute, copy, move, delete, rename,
shadow, drag, drop, read, write or change attributes of an object. These and
other privileges are based on Workplace Object pop-up menu items, Workplace
Object styles, and File Access operations.
When an object has no user privileges, The Secure Workplace searches up the
parent chain of the directory tree to find the first parent with an assigned
privilege. In the case of desktop objects the search stops when the desktop is
reached. In the case of objects outside the desktop the search stops when the
root directory is reached. In other words, objects with no assigned user
privileges inherit the privileges of a parent folder or directory. If no
assigned privilege is found then the user is granted default privileges.
Default privileges may be FULL or NONE depending on the option you choose on
the Security Policy page. Administrative labor is minimized by assigning
privileges to folders and directories at the highest levels of the directory
tree.
See Also.
o Basic Privileges
o Folder menu privileges
o Desktop menu privileges
o Disk menu privileges
o Adding User Privileges
o Changing User Privileges
o Deleting User Privileges
o Simple Instructions for Granting User Privileges
To get to an object's Privilege page
1. Move your mouse pointer over the object.
2. Press the right mouse button to bring up the pop-up menu.
3. Select the Settings option.
4. Turn to the Privileges tab.
═══ 4.1. Basic privileges ═══
Administrators can grant basic privileges for every object. These are:
Copy
Check this box to allow the user to copy the object from one folder to
another. When you uncheck this box the Copy... item is removed from the
object's pop-up menu and NO COPY is enforced.
Move
Check this box to allow the user to move the object between folders. When
you uncheck this box the Move... item is removed from the object's pop-up
menu and NO MOVE is enforced. If Drag is allowed the user can still
relocate the object inside its original folder.
Delete
Check this box to allow the user to delete the object. Uncheck this box to
remove the Delete... item from the object's pop-up menu. With this
permission removed the user cannot delete the object with a delete key or
by dropping it on the shredder. The file access control driver gives
additional protection from command prompts and file manager programs.
Shadow
Check this box to allow the user to create shadows of the object. When you
uncheck this box the Create Shadow... item is removed from the object's
pop-up menu and the NO SHADOW style is enforced.
Rename
Check this box to allow users to change the object's title. Uncheck the box
to remove the permission. When the permission is removed the user cannot
change the object's title or filename. Attempts to change the title through the
general page in the settings notebook or by direct manipulation will fail.
The file access control driver also enforces this privilege to give
additional protection from command prompts and other programs.
Drag
Check this box to allow the user to drag the object. Remove the checkmark
to prevent the object from being dragged with the right mouse button. The
Pickup menu choice will also be removed.
Drop
Check this box to allow the user to drop other objects onto the object.
When you remove this privilege, nothing can be dropped on or into the
object. This can be particularly helpful for folders.
Settings
Check this box to allow the user to open the object's settings notebook.
Deny this privilege to prevent the user from changing the object's
settings.
Visible
Check this box to allow the user to see the object. Deny this privilege to
prevent the user from seeing the object. This is the most basic privilege.
If the user cannot see the object he cannot perform any operations on it.
Open or Execute
Check this box to let the user open the object. Deny this privilege to
prevent the user opening the object. This is the second basic privilege.
This permission is also enforced by the file access control driver.
Read
Check this box to let the user open the file for read access. Deny this
privilege to prevent the user from reading the file. This permission is
enforced by the file access control driver.
Write
Check this box to let the user open the file for write access. Deny this
privilege to prevent the user from writing to the file. This permission is
enforced by the file access control driver.
Attribute
Check this box to let the user change the file attributes. Deny this
privilege to prevent the user from changing file attributes. This
permission is enforced by the file access control driver.
Create
Uncheck this box to deny user access to the Create Another... item in the
object's pop-up menu. With this permission removed the user cannot use the
pop-up menu to create another object.
Help
Check this box to grant user access to the Help item on the object's pop-up
menu. Denying this privilege does not prevent the user from gaining access
to the help system through some other avenue.
See Also.
o Folder menu privileges
o Desktop menu privileges
o Disk menu privileges
o Adding User Privileges
o Changing User Privileges
o Deleting User Privileges
o Simple Instructions for Granting User Privileges
═══ 4.2. Folder menu privileges ═══
The folder menu privilege page lets you assign user privileges for the folder
pop-up menu items. Each checkbox controls a different pop-up menu item. These
items behave as follows:
Select
Check this box to grant user access to the Select item in the folder's
pop-up menu. Deny this privilege to prevent the user from selecting or
deselecting all objects in the folder. It does not prevent object selection
with the mouse.
Sort
Check this box to grant user access to the Sort item in the folder's pop-up
menu. Deny this privilege to prevent the user from manually sorting the
objects in the folder. This privilege does not override the "Always
maintain sort order" settings in the sort page of the settings notebook.
Arrange
Check this box to grant user access to the Arrange item in the folder's
pop-up menu. Deny this privilege to prevent the user from rearranging the
objects in the folder.
Find
Check this box to grant user access to the Find... item in the folder's
pop-up menu. Deny this privilege to prevent the user from performing find
operations from the pop-up menu.
Details view
Check this box to allow the user to open a folder's Details View. Remove the
check to prevent the user from opening the object's details view.
Tree view
Check this box to allow the user to open the folder's Tree View. Remove the
check to prevent the user from opening the Tree view.
Open Parent
Check this box to grant user access to the Open Parent pop-up menu item.
Remove the check to prevent the user from opening the folder's parent.
See Also.
o Basic Privileges
o Desktop menu privileges
o Disk menu privileges
o Adding User Privileges
o Changing User Privileges
o Deleting User Privileges
o Simple Instructions for Granting User Privileges
═══ 4.3. Desktop Menu privileges ═══
The desktop menu privilege page lets you assign user privileges to pop-up menu
items that are unique to a desktop. Each checkbox controls a different pop-up
menu item. These items behave as follows:
Shutdown
Check this box to grant user access to the Shutdown item in the desktop's
pop-up menu. Deny this privilege to prevent the user from performing a
system shutdown from the desktop pop-up menu. You can still perform a
system shutdown with the SHUTDOWN.EXE program provided with The Secure
Workplace.
Lockup
Check this box to grant user access to the Lockup Now item in the desktop's
pop-up menu. Deny this privilege to prevent the user from manually locking
the desktop. This privilege does not override the Lock on startup or
Automatic lockup settings in the lockup page of the settings notebook.
System Setup
Check this box to grant user access to the System Setup item in the
desktop's pop-up menu. Deny this privilege to prevent the user from gaining
access to the system setup folder from the desktop's pop-up menu. This
privilege does not override any privilege you assign to the system setup
folder or its parent folders.
See Also.
o Basic Privileges
o Folder menu privileges
o Disk menu privileges
o Adding User Privileges
o Changing User Privileges
o Deleting User Privileges
o Simple Instructions for Granting User Privileges
═══ 4.4. Disk Menu privileges ═══
The disk menu privilege page lets you assign user privileges to pop-up menu
items that are unique to disk objects. Each checkbox controls a different
pop-up menu item. These items behave as follows:
Check Disk
Check this box to grant user access to the Check Disk item in the disk's
pop-up menu. Deny this privilege to prevent the user from performing a
check disk from the pop-up menu.
Format Disk
Check this box to grant user access to the Format Disk item in the disk's
pop-up menu. Deny this privilege to prevent the user from performing a
format disk from the pop-up menu.
Copy Disk
Check this box to grant user access to the Copy Disk item in the disk's
pop-up menu. Deny this privilege to prevent the user from copying disks.
Partition Disk
Check this box to grant user access to the Partition Disk item in the
Drives's pop-up menu.
See Also.
o Basic Privileges
o Folder menu privileges
o Desktop menu privileges
o Adding User Privileges
o Changing User Privileges
o Deleting User Privileges
o Simple Instructions for Granting User Privileges
═══ 4.5. Adding a privilege ═══
Follow the procedure below to add a user privilege to an object.
1. Open the object's settings notebook.
2. Turn to the Privilege tab.
3. Bring up the user list by pressing the drop down button to the right of
the user entry field.
4. Select the user or group that will receive the privilege.
Users have a prefix of (U), and groups have a prefix of (G).
5. Check the privileges you want to grant.
6. If Page 2 exists, turn to page 2.
7. Check the folder menu privileges you want to grant.
8. If page 3 exists, turn to page 3.
9. Check the privileges you want to grant.
10. Return to page 1.
11. Press the Add button.
12. Repeat this procedure for each user or group who will be granted a
privilege.
See Also:
o Basic Privileges
o Folder Privileges
o Desktop Privileges
o Disk Privileges
o Changing User Privileges
o Deleting User Privileges
o Simple Instructions for Granting User Privileges
═══ 4.6. Changing a user privilege ═══
Follow the procedure below to change a user's privilege to an object.
1. Open the object's settings notebook.
2. Turn to the Privilege tab.
3. Bring up the user list by pressing the drop down button to the right of
the User entry field.
4. Select the user or group that will receive the privilege.
Users have a prefix of (U), and groups have a prefix of (G).
5. Check the privileges you want to grant.
6. If Page 2 exists, turn to page 2.
7. Check the folder menu privileges you want to grant.
8. If page 3 exists, turn to it.
9. Check the menu privileges you want to grant.
10. Return to page 1.
11. Press the Save button.
See Also:
o Basic Privileges
o Folder Privileges
o Desktop Privileges
o Disk Privileges
o Adding User Privileges
o Deleting User Privileges
o Simple Instructions for Granting User Privileges
═══ 4.7. Deleting a user Privilege ═══
Follow the procedure below to delete a user's privilege to an object.
1. Open the object's settings notebook.
2. Turn to the Privilege tab.
3. Bring up the user list by pressing the drop down button to the right of
the User entry field.
4. Select the user or group from the drop down list.
Users have a prefix of (U), and groups have a prefix of (G).
5. Press the Delete button.
6. Repeat this procedure for each user whose privilege you want to delete.
See Also:
o Basic Privileges
o Folder Privileges
o Desktop Privileges
o Disk Privileges
o Adding User Privileges
o Changing User Privileges
o Simple Instructions for Granting User Privileges
═══ 4.8. Simple instructions for granting user privileges ═══
These instructions are intended to get you started quickly and to demonstrate a
simple but effective security policy. You can use the environment or expand it
to fit your needs.
1. Sign on as an Administrator.
2. Open the Security Administration notebook and turn to the Policy page.
3. Remove the checkmark from the Grant public privileges by default box.
4. Configure any other policies you require. The Screen Saver is a handy
feature to select.
5. Turn to the User tab.
6. Add at least one administrator.
7. Add as many users as you require. Skip this step if you decide to use
Single Sign-on. If you are working with a notebook computer then add users
who can take the notebook away.
8. Turn to the Groups Tab.
9. Add a group that includes everyone. Let's say you called the group
EVERYONE. This EVERYONE group includes all users, even ones that have not
been defined yet. It includes users that are authenticated by your Single
Signon procedure, but who do not have a local definition.
10. Close the Security Administration notebook.
11. Open the Desktop settings notebook.
12. Turn to the Privileges Tab.
13. Select the EVERYONE group (i.e. (G)EVERYONE).
14. Grant Visible, Open, and Execute Privileges on page 1.
15. Grant Sort and Arrange on page 2.
16. Grant Lockup and Shutdown on page 3.
17. Return to page 1 and press the Add Button.
18. Close the desktop settings notebook.
19. Open the OS/2 System folder's settings notebook.
20. Turn to the Privileges Tab.
21. Select the EVERYONE Group.
22. Deny all Privileges and Press the Add Button.
23. Move all objects you want to protect into the OS/2 System folder.
Be sure to move The Secure Workplace folder and the Command Prompts
folder into the OS/2 System folder.
24. You are done.
25. Test the configuration by signing on as different users.
The OS/2 System folder will be invisible to everyone except
administrators.
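The lookup rule from section 4 explains why step 23 works: an object moved into the OS/2 System folder has no assignment of its own, so it inherits the folder's denial. The Python model below is an added illustration, not code from The Secure Workplace; the object names, the user pat, and the precedence of (U) entries over (G) entries are assumptions, and only the basic privileges are modeled.

```python
from dataclasses import dataclass, field
from typing import Optional

# Privilege names from the Basic privileges page ("open" is Open or Execute).
ALL = frozenset({"copy", "move", "delete", "shadow", "rename", "drag", "drop",
                 "settings", "visible", "open", "read", "write", "attribute",
                 "create", "help"})
NONE = frozenset()


@dataclass
class Obj:
    name: str
    parent: Optional["Obj"] = None
    boundary: bool = False   # True for the desktop and for a root directory
    acl: dict = field(default_factory=dict)  # "(U)name" / "(G)name" -> privileges


def applicable(obj, user, groups):
    """Privileges assigned on obj that apply to the user, or None.

    Assumption: a (U) entry wins over (G) entries and several (G) entries
    are merged; the help text does not define either case."""
    if "(U)" + user in obj.acl:
        return obj.acl["(U)" + user]
    hits = [obj.acl["(G)" + g] for g in groups if "(G)" + g in obj.acl]
    return frozenset().union(*hits) if hits else None


def effective(obj, user, groups, is_admin=False, default_full=False):
    """Return (privileges, where they came from) for user on obj."""
    if is_admin:                  # administrators have full privileges
        return ALL, "administrator"
    node = obj
    while node is not None:
        found = applicable(node, user, groups)
        if found is not None:     # first object up the chain with an assignment
            return found, node.name
        if node.boundary:         # desktop or root directory reached: stop
            break
        node = node.parent
    return (ALL if default_full else NONE), "policy default"


def build_example():
    """Constructed tree following steps 11 to 23 of the procedure above."""
    root = Obj("C:", boundary=True)
    desktop = Obj("Desktop", root, boundary=True)
    os2sys = Obj("OS/2 System", desktop)
    prompts = Obj("Command Prompts", os2sys)   # moved in, no own assignment
    reports = Obj("Reports", desktop)          # hypothetical desktop folder
    data = Obj("DATA", root)                   # hypothetical directory off the desktop
    desktop.acl["(G)EVERYONE"] = frozenset({"visible", "open"})
    os2sys.acl["(G)EVERYONE"] = NONE           # step 22: deny all privileges
    return {o.name: o for o in (root, desktop, os2sys, prompts, reports, data)}


if __name__ == "__main__":
    tree = build_example()
    for name in ("Reports", "Command Prompts", "DATA"):
        privs, source = effective(tree[name], "pat", ["EVERYONE"])
        print(f"{name:16} {sorted(privs)} (from {source})")
```

With the default-privileges box unchecked (`default_full=False`), the DATA directory falls through to the policy default and receives no privileges, while an assignment on C: would not reach desktop objects because their search stops at the desktop.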
Adding Launchpad Restrictions
Although these instructions are optional, you might find them convenient.
1. Open the Launchpad settings notebook and turn to page 2 of the options
tab.
2. Select the Do not display actions button.
3. Close the launch pad notebook.
4. Open your CONFIG.SYS file with the system editor.
5. Remove the LAUNCHPAD option from the AUTOSTART line.
6. Save the CONFIG.SYS file.
7. Reboot your computer.
Adding another group of users with additional privileges
The procedure above created two groups of users. These are Administrators and
everyone else. Suppose you have a third group that needs additional privileges
you do not want to grant to EVERYONE. Here is a procedure you can expand on:
1. Open the Security Administration notebook and turn to the Groups tab.
2. Add a group that includes only the users you want to work with. Let's call
this group SUPERUSERS for want of a better name. You can make up your own
name to fit your requirements.
3. Create a folder that will contain the objects SUPERUSERS can access. Let's
call the folder SupersOnly.
4. Move whatever objects the SUPERUSERS group needs into this folder.
5. Open the SupersOnly settings notebook.
6. Turn to the Privileges Tab.
7. Select the SUPERUSERS group.
8. Grant Visible, Open, Execute, Sort and Arrange.
9. Press the Add button.
10. Select the SUPERUSERS group.
11. Deny ALL Privileges.
12. Press the Add button.
13. Close the settings notebook.
14. You are done.
15. Test the configuration.
When a member of the SUPERUSERS group signs on, the SupersOnly folder will
be visible. When any other user signs on, the folder will be invisible.
See Also:
o Basic Privileges
o Folder Privileges
o Desktop Privileges
o Disk Privileges
o Adding User Privileges
o Changing User Privileges
o Deleting User Privileges